Most companies use contractors for strategic purposes within their development and support organizations. Even the IT teams within companies of many different sizes do so.
Part of getting a contractor integrated into the workflow of a team is making sure that all the usual communication channels are open. So the common practice is to issue a contractor a company laptop and set up a single-sign-on account on the relevant domain controller.
Contractors tend to be highly skilled and versatile in what they can do within a LAN. And since many companies use a WAN to integrate LANs in geographically dispersed sites, the skilled contractor gains access to company resources at large, despite perhaps being specifically limited to project work at one site. Since even contracts lasting months or a year are temporary, the contractor by definition never has full allegiance to company interests.
In short, while contractors tend to be highly functional people with notable integrity, an IT team needs to address the structural risk presented by a non-company employee operating on the network with an employee’s ease of use.
Since the contractor is a user within the domain, each login event is recorded. So viewing the event log provides a history of all systems on which the user logs in; generating a report by filtering event log transactions would provide an overview for some specified duration (daily, weekly, monthly).
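The report described above can be sketched as follows. This is an added example, not code from the original article or from any product it mentions. It assumes a Windows domain where successful logons are Security event 4624, a CSV export with the column names shown, hostnames that begin with a site prefix, and a constructed account name and sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: logon events exported from a domain controller's
# Security log as CSV. Column names, hosts and users are assumptions.
SAMPLE_EXPORT = """TimeCreated,EventID,TargetUserName,Computer
2024-03-04T08:01:12,4624,jdoe-ctr,BOS-DEV-07
2024-03-04T08:03:40,4624,asmith,BOS-DEV-02
2024-03-04T13:22:05,4624,jdoe-ctr,BOS-BUILD-01
2024-03-05T08:00:51,4624,jdoe-ctr,BOS-DEV-07
2024-03-05T19:47:33,4624,jdoe-ctr,AUS-FIN-03
2024-03-05T19:48:02,4625,jdoe-ctr,AUS-FIN-04
2024-03-12T09:15:00,4624,jdoe-ctr,BOS-DEV-07
"""

LOGON_SUCCESS = "4624"  # Windows Security event ID for a successful logon

def period_key(ts, period):
    """Bucket a timestamp by day, ISO week or month."""
    if period == "daily":
        return ts.strftime("%Y-%m-%d")
    if period == "weekly":
        year, week, _ = ts.isocalendar()
        return f"{year}-W{week:02d}"
    if period == "monthly":
        return ts.strftime("%Y-%m")
    raise ValueError(f"unknown period: {period}")

def logon_report(csv_text, username, period="daily"):
    """Return {period: sorted systems the user successfully logged on to}."""
    report = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != LOGON_SUCCESS:
            continue  # skip failed logons and unrelated events
        if row["TargetUserName"].lower() != username.lower():
            continue  # account names are case-insensitive
        ts = datetime.fromisoformat(row["TimeCreated"])
        report[period_key(ts, period)].add(row["Computer"].upper())
    return {k: sorted(v) for k, v in sorted(report.items())}

def out_of_scope(report, site_prefix):
    """List (period, system) pairs outside the contractor's assigned site."""
    return [(p, h) for p, hosts in report.items()
            for h in hosts if not h.startswith(site_prefix.upper())]

if __name__ == "__main__":
    print(out_of_scope(logon_report(SAMPLE_EXPORT, "jdoe-ctr", "weekly"), "BOS-"))
```

The second function turns the history into a review list: any system the contractor logged on to that does not belong to the site where the project work is located.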
Since the contract user always uses the same company laptop to access points within the domain, you can more carefully limit and watch user access to the network by creating a DHCP policy that requires the user’s laptop to re-lease an IP address every 24 hours.
Often the contractor works out of a temporary workspace with the laptop connected through an IP phone. By monitoring the switch port passing through the IP phone, you can see each instance in which the laptop (MAC address) connects to the network.
All three of these ways of monitoring access are available in the SolarWinds User Device Tracker (UDT). You can use UDT to create a watch list in which either the username or the laptop’s MAC address generates a notification upon login or connection.